Hi all,
I am working on a MiniFilter driver, and intercept IRP_MJ_DIRECTORY_CONTROL and IRP_MN_QUERY_DIRECTORY in the PostOperationCallback to hide a file or folder from the list.
It's working fine when accessing via Explorer, but when I used the command prompt and typed the command “DIR”, I can see the file/folder.
Note: it's working fine on Windows XP; the problem is with Windows 7.
Please let me know if anybody knows the solution…
Thanks
- use process monitor tool to see which requests dir sends and what you return
- are you sure you handle e.g. SL_RESTART_SCAN, SL_RETURN_SINGLE_ENTRY flags?
- do you distinguish between returning STATUS_NO_SUCH_FILE / STATUS_NO_MORE_FILES?
- check Information value you return
do you hide one entry or multiple entries?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Wednesday, February 02, 2011 8:37 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] IRP_MJ_DIRECTORY_CONTROL … ISSUE in Windows 7
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
Last time I saw that behavior in the Win32/Zbot virus. Explorer and
Total Commander don’t show a file, but if you query the directory
with a bit less usual file info class, you can see the file there.
Go go malware writers, fix your code.
L.
File hiding is used in much more than malware. Plus it is not supposed to stop a savvy user who has physical
access to the computer but others.
And to the OP: make sure you check all possible info classes, DOS prompt uses FileNamesInformation unlike
Explorer, IIRC.
–
Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.
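The posts above note that the same directory can list differently depending on the information class requested. The following is an added example, not code from the thread: a bounds-checked walker over directory-enumeration buffers that reports names present in one class's view but absent from another, usable as a cross-view check or as a test of a filter's coverage. The names `listing`, `cross_view_missing`, `put` and `demo` are hypothetical, the buffers are constructed rather than captured, and names are compared exactly (case-sensitive).

```c
#include <stdint.h>
#include <string.h>

/* Byte offsets of FileNameLength and FileName[] in each FILE_*_INFORMATION layout. */
typedef struct { uint32_t len_off, name_off; } dir_class;
static const dir_class FULL_DIR = {60, 68};  /* FileFullDirectoryInformation */
static const dir_class NAMES    = { 8, 12};  /* FileNamesInformation */
typedef struct { const dir_class *cls; const uint8_t *buf; size_t size; } listing;
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Read the entry at *off, then advance. 1 = entry, 0 = end of listing, -1 = malformed. */
static int next_entry(const listing *l, size_t *off, const uint8_t **name, uint32_t *len) {
    if (*off == SIZE_MAX) return 0;
    if (*off > l->size || l->size - *off < l->cls->name_off) return -1;
    uint32_t next = rd32(l->buf + *off);
    *len = rd32(l->buf + *off + l->cls->len_off);
    if (*len > l->size - *off - l->cls->name_off) return -1;         /* name overruns buffer */
    if (next && next < (uint64_t)l->cls->name_off + *len) return -1; /* link points into entry */
    *name = l->buf + *off + l->cls->name_off;
    *off = next ? *off + next : SIZE_MAX;                            /* NextEntryOffset 0 = last */
    return 1;
}

/* Count names listed in view a but absent from view b; -1 if either buffer is malformed. */
int cross_view_missing(const listing *a, const listing *b) {
    size_t i = 0, j; const uint8_t *n, *m; uint32_t nl, ml; int r, s, missing = 0;
    while ((r = next_entry(a, &i, &n, &nl)) == 1) {
        for (j = 0; (s = next_entry(b, &j, &m, &ml)) == 1; )
            if (ml == nl && memcmp(m, n, nl) == 0) break;
        if (s < 0) return -1;
        missing += (s == 0);
    }
    return r < 0 ? -1 : missing;
}

/* Constructed sample data: append a short ASCII name as one 8-byte-aligned UTF-16LE entry. */
size_t put(const dir_class *c, uint8_t *buf, size_t off, const char *s, int last) {
    uint32_t len = 2 * (uint32_t)strlen(s), step = (c->name_off + len + 7) & ~7u;
    memset(buf + off, 0, step);
    for (uint32_t i = 0; i < len / 2; i++) buf[off + c->name_off + 2 * i] = (uint8_t)s[i];
    buf[off + c->len_off] = (uint8_t)len;   /* sample names are short, one byte suffices */
    if (!last) buf[off] = (uint8_t)step;    /* NextEntryOffset stays 0 on the last entry */
    return off + step;
}

/* Constructed case: "secret.txt" is present in the names view but not the full-dir view. */
int demo(void) {
    static uint8_t nbuf[128], fbuf[128];
    listing names = {&NAMES, nbuf, 0}, full = {&FULL_DIR, fbuf, 0};
    names.size = put(&NAMES, nbuf, put(&NAMES, nbuf, 0, "a.txt", 0), "secret.txt", 1);
    full.size = put(&FULL_DIR, fbuf, 0, "a.txt", 1);
    return cross_view_missing(&names, &full);
}
```

On a live system the two buffers would come from querying the same directory once per information class; a nonzero result in either direction means the views disagree.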
I do not think it's a bug in Windows 7, though a change is quite possible.
IIRC cmd sends something different than the combination you are intercepting (IRP_MJ_DIRECTORY_CONTROL and IRP_MN_QUERY_DIRECTORY). Just check with FileSpy, intercept that and it should work.
Hi all,
Thanks to all of you for the support. I traced the IRP messages and found the solution.
IRP_MJ_DIRECTORY_CONTROL and IRP_MN_QUERY_DIRECTORY is the correct way to intercept for directories. So I compared its buffer with the “FileFullDirectoryInformation” class, and that's working fine to hide files/folders when accessing via the command prompt.
Now the problem is with the search element in the Start menu. I compared all classes:
FileBothDirectoryInformation
FileDirectoryInformation
FileFullDirectoryInformation
FileIdBothDirectoryInformation
FileIdFullDirectoryInformation
FileNamesInformation
FileObjectIdInformation
FileReparsePointInformation
But I didn’t get it in the buffer in this condition.
That means when I search for the hidden file/folder in the Start menu search, it shows the file.
Thanks